igm/publisher-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix Session.id type and restore nested passkey routes

Browse Source 
- Change Session.id from number to string to match DB bigint type
- Restore me.passkeys.{list,rename,delete} nested route structure
- Remove unnecessary String() conversion in logout procedure
- Auto-formatted procedure files

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
RevIQ
2026-01-09 15:44:45 +08:00
parent 1858ea9783
commit 617fa78046
7 changed files with 285 additions and 213 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
apps/api-server/src/middleware/auth.ts
View File

@@ -113,14 +113,14 @@ export const createAuthMiddleware = () => {
const sessionInfo: Session = session
? {
id: Number(session.id),
id: session.id,
trustedMode: session.trusted_mode,
createdAt: session.created_at,
}
: {
// For API token auth, create a synthetic session object
// We know apiToken exists because userId came from it
id: 0,
id: "0",
trustedMode: true,
createdAt: apiToken?.created_at ?? new Date(),
};

6
apps/api-server/src/procedures/auth/login-password.ts
View File

@@ -110,7 +110,11 @@ export const loginPassword = os.auth.loginPassword.handler(
// Password is valid - check if device is trusted
// If no device fingerprint, treat as untrusted
const deviceTrusted = result.device_fingerprint
? await isDeviceTrusted(context.db, result.user_id, result.device_fingerprint)
? await isDeviceTrusted(
context.db,
result.user_id,
result.device_fingerprint,
)
: false;
if (deviceTrusted) {

2
apps/api-server/src/procedures/auth/logout.ts
View File

@@ -18,7 +18,7 @@ export const logout = os.auth.logout
await context.db
.updateTable("sessions")
.set({ revoked_at: new Date() })
.where("id", "=", String(context.session.id))
.where("id", "=", context.session.id)
.execute();
// Clear the session cookie

10
apps/api-server/src/procedures/auth/signup.ts
View File

@@ -2,16 +2,15 @@
* Signup procedure - creates a new user account with email + password or passkey
*/
import type { DB } from "@reviq/db-schema";
import type {
PublicKeyCredentialCreationOptionsJSON,
RegistrationResponseJSON,
} from "@simplewebauthn/types";
import type { Kysely } from "kysely";
import type { DB } from "@reviq/db-schema";
import type { RPInfo } from "../../utils/webauthn.js";
import { ORPCError } from "@orpc/server";
import { verifyRegistrationResponse } from "@simplewebauthn/server";
import { os } from "../base.js";
import {
COOKIE_NAMES,
COOKIE_OPTIONS,
@@ -24,6 +23,7 @@ import { getGeoInfo, getUserAgent } from "../../utils/geo.js";
import { hashPassword, validatePassword } from "../../utils/password.js";
import { createSession } from "../../utils/session.js";
import { getRPInfo, KNOWN_AAGUIDS } from "../../utils/webauthn.js";
import { os } from "../base.js";
/**
* Create user with password authentication
@@ -231,7 +231,11 @@ export const signup = os.auth.signup.handler(async ({ input, context }) => {
if (password) {
userId = await signupWithPassword(context.db, email, password);
} else if (passkeyInfo) {
const rpInfo = getRPInfo(context.origin, context.allowedOrigins, context.rpName);
const rpInfo = getRPInfo(
context.origin,
context.allowedOrigins,
context.rpName,
);
userId = await signupWithPasskey(context.db, email, passkeyInfo, rpInfo);
} else {
// Should never reach here due to schema validation

10
apps/api-server/src/procedures/base.ts
View File

@@ -111,13 +111,13 @@ export const authMiddleware = os.middleware(async ({ context, next }) => {
const sessionInfo: Session = session
? {
id: Number(session.id),
id: session.id,
trustedMode: session.trusted_mode,
createdAt: session.created_at,
}
: {
// For API token auth, create a synthetic session object
id: 0,
id: "0",
trustedMode: true,
createdAt: apiToken?.created_at ?? new Date(),
};
@@ -133,7 +133,8 @@ export const authMiddleware = os.middleware(async ({ context, next }) => {
/**
* Login request middleware - validates login request token from cookie
*/
export const loginRequestMiddleware = os.middleware(async ({ context, next }) => {
export const loginRequestMiddleware = os.middleware(
async ({ context, next }) => {
const { db, reqHeaders } = context;
// Read login request token from cookie
@@ -195,7 +196,8 @@ export const loginRequestMiddleware = os.middleware(async ({ context, next }) =>
user: sessionUser,
},
});
});
},
);
/**
* Superuser middleware - requires admin access (must be used after authMiddleware)

172
apps/api-server/src/router.ts
View File

@@ -9,7 +9,11 @@ import { resendVerificationEmail as resendVerificationHandler } from "./procedur
import { resetPassword as resetPasswordHandler } from "./procedures/auth/reset-password.js";
import { signup as signupHandler } from "./procedures/auth/signup.js";
import { verifyEmail as verifyEmailHandler } from "./procedures/auth/verify-email.js";
import { authMiddleware, loginRequestMiddleware, os } from "./procedures/base.js";
import {
authMiddleware,
loginRequestMiddleware,
os,
} from "./procedures/base.js";
import {
createAuthenticationOptions as createAuthOptions,
createRegistrationOptions as createRegOptions,
@@ -39,7 +43,11 @@ const createRegistrationOptions =
// For signup flow, we don't have a user yet
// The user will be created when signup is called with the passkeyInfo
const rpInfo = getRPInfo(context.origin, context.allowedOrigins, context.rpName);
const rpInfo = getRPInfo(
context.origin,
context.allowedOrigins,
context.rpName,
);
const result = await createRegOptions(context.db, rpInfo, { email });
return result;
@@ -51,14 +59,22 @@ const verifyRegistration = os.auth.webauthn.verifyRegistration
.handler(async ({ input, context }) => {
const { challengeId, response } = input;
const rpInfo = getRPInfo(context.origin, context.allowedOrigins, context.rpName);
const rpInfo = getRPInfo(
context.origin,
context.allowedOrigins,
context.rpName,
);
await verifyReg(context.db, rpInfo, context.user.id, challengeId, response);
});
const createAuthenticationOptions = os.auth.webauthn.createAuthenticationOptions
.use(loginRequestMiddleware)
.handler(async ({ context }) => {
const rpInfo = getRPInfo(context.origin, context.allowedOrigins, context.rpName);
const rpInfo = getRPInfo(
context.origin,
context.allowedOrigins,
context.rpName,
);
const result = await createAuthOptions(context.db, rpInfo, context.user.id);
return result;
});
@@ -68,7 +84,11 @@ const verifyAuthentication = os.auth.webauthn.verifyAuthentication
.handler(async ({ input, context }) => {
const { challengeId, response } = input;
const rpInfo = getRPInfo(context.origin, context.allowedOrigins, context.rpName);
const rpInfo = getRPInfo(
context.origin,
context.allowedOrigins,
context.rpName,
);
const verified = await verifyAuth(
context.db,
rpInfo,
@@ -89,11 +109,15 @@ const meGet = os.me.get.use(authMiddleware).handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const setupProfile = os.me.setupProfile.use(authMiddleware).handler(async () => {
const setupProfile = os.me.setupProfile
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const updateProfile = os.me.updateProfile.use(authMiddleware).handler(async () => {
const updateProfile = os.me.updateProfile
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
@@ -105,7 +129,7 @@ const setPassword = os.me.setPassword.use(authMiddleware).handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const listPasskeys = os.me.listPasskeys
const passkeysList = os.me.passkeys.list
.use(authMiddleware)
.handler(async ({ context }) => {
const passkeys = await getUserPasskeys(context.db, context.user.id);
@@ -118,22 +142,7 @@ const listPasskeys = os.me.listPasskeys
}));
});
const createPasskey = os.me.createPasskey
.use(authMiddleware)
.handler(async ({ input, context }) => {
const { name: _name } = input;
const rpInfo = getRPInfo(context.origin, context.allowedOrigins, context.rpName);
const result = await createRegOptions(context.db, rpInfo, {
id: context.user.id,
email: context.user.email,
displayName: context.user.displayName,
});
return result;
});
const renamePasskey = os.me.renamePasskey
const passkeysRename = os.me.passkeys.rename
.use(authMiddleware)
.handler(async ({ input, context }) => {
const { passkeyId, name } = input;
@@ -146,7 +155,7 @@ const renamePasskey = os.me.renamePasskey
.execute();
});
const deletePasskey = os.me.deletePasskey
const passkeysDelete = os.me.passkeys.delete
.use(authMiddleware)
.handler(async ({ input, context }) => {
const { passkeyId } = input;
@@ -177,19 +186,27 @@ const deletePasskey = os.me.deletePasskey
.execute();
});
const listSessions = os.me.listSessions.use(authMiddleware).handler(async () => {
const listSessions = os.me.listSessions
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const revokeSession = os.me.revokeSession.use(authMiddleware).handler(async () => {
const revokeSession = os.me.revokeSession
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const revokeAllSessions = os.me.revokeAllSessions.use(authMiddleware).handler(async () => {
const revokeAllSessions = os.me.revokeAllSessions
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const getDeviceInfo = os.me.getDeviceInfo.use(authMiddleware).handler(async () => {
const getDeviceInfo = os.me.getDeviceInfo
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
@@ -197,11 +214,15 @@ const trustDevice = os.me.trustDevice.use(authMiddleware).handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const listTrustedDevices = os.me.listTrustedDevices.use(authMiddleware).handler(async () => {
const listTrustedDevices = os.me.listTrustedDevices
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const untrustDevice = os.me.untrustDevice.use(authMiddleware).handler(async () => {
const untrustDevice = os.me.untrustDevice
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
@@ -237,32 +258,46 @@ const orgsLeave = os.orgs.leave.use(authMiddleware).handler(async () => {
});
// Orgs members procedures
const membersList = os.orgs.members.list.use(authMiddleware).handler(async () => {
const membersList = os.orgs.members.list
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const membersUpdateRole = os.orgs.members.updateRole.use(authMiddleware).handler(async () => {
const membersUpdateRole = os.orgs.members.updateRole
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const membersRemove = os.orgs.members.remove.use(authMiddleware).handler(async () => {
const membersRemove = os.orgs.members.remove
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
// Orgs invites procedures
const invitesList = os.orgs.invites.list.use(authMiddleware).handler(async () => {
const invitesList = os.orgs.invites.list
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const invitesCreate = os.orgs.invites.create.use(authMiddleware).handler(async () => {
const invitesCreate = os.orgs.invites.create
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const invitesCancel = os.orgs.invites.cancel.use(authMiddleware).handler(async () => {
const invitesCancel = os.orgs.invites.cancel
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const invitesAccept = os.orgs.invites.accept.use(authMiddleware).handler(async () => {
const invitesAccept = os.orgs.invites.accept
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
@@ -272,7 +307,9 @@ const sitesList = os.orgs.sites.list.use(authMiddleware).handler(async () => {
});
// Admin orgs procedures (require superuser - for now just auth, will add superuser middleware later)
const adminOrgsList = os.admin.orgs.list.use(authMiddleware).handler(async () => {
const adminOrgsList = os.admin.orgs.list
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
@@ -280,53 +317,77 @@ const adminOrgsGet = os.admin.orgs.get.use(authMiddleware).handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const adminOrgsCreate = os.admin.orgs.create.use(authMiddleware).handler(async () => {
const adminOrgsCreate = os.admin.orgs.create
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const adminOrgsUpdate = os.admin.orgs.update.use(authMiddleware).handler(async () => {
const adminOrgsUpdate = os.admin.orgs.update
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const adminOrgsDelete = os.admin.orgs.delete.use(authMiddleware).handler(async () => {
const adminOrgsDelete = os.admin.orgs.delete
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const adminOrgsListSites = os.admin.orgs.listSites.use(authMiddleware).handler(async () => {
const adminOrgsListSites = os.admin.orgs.listSites
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const adminOrgsAddSite = os.admin.orgs.addSite.use(authMiddleware).handler(async () => {
const adminOrgsAddSite = os.admin.orgs.addSite
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const adminOrgsRemoveSite = os.admin.orgs.removeSite.use(authMiddleware).handler(async () => {
const adminOrgsRemoveSite = os.admin.orgs.removeSite
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
// Admin users procedures
const adminUsersList = os.admin.users.list.use(authMiddleware).handler(async () => {
const adminUsersList = os.admin.users.list
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const adminUsersGet = os.admin.users.get.use(authMiddleware).handler(async () => {
const adminUsersGet = os.admin.users.get
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const adminUsersCreate = os.admin.users.create.use(authMiddleware).handler(async () => {
const adminUsersCreate = os.admin.users.create
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const adminUsersUpdate = os.admin.users.update.use(authMiddleware).handler(async () => {
const adminUsersUpdate = os.admin.users.update
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
const adminUsersConfirmEmail = os.admin.users.confirmEmail.use(authMiddleware).handler(async () => {
const adminUsersConfirmEmail = os.admin.users.confirmEmail
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
// Admin auth procedures
const adminAuthCompleteLogin = os.admin.auth.completeLogin.use(authMiddleware).handler(async () => {
const adminAuthCompleteLogin = os.admin.auth.completeLogin
.use(authMiddleware)
.handler(async () => {
throw new ORPCError("NOT_IMPLEMENTED", { message: "Not implemented" });
});
@@ -356,10 +417,11 @@ export const router = os.router({
updateProfile,
delete: meDelete,
setPassword,
listPasskeys,
createPasskey,
renamePasskey,
deletePasskey,
passkeys: {
list: passkeysList,
rename: passkeysRename,
delete: passkeysDelete,
},
listSessions,
revokeSession,
revokeAllSessions,